It’s surprisingly easy to become part of what cybersecurity consultant Michael B. Williams calls the “1%” — that one in 100 people whose online life is secure enough that hackers just can’t be bothered to try to break into their accounts.

“Most hackers are in it not for revenge but to make money,” says Williams. And once you’re part of the 1%, “if [a hacker] just wants money, the cost-value tradeoff is literally zero.”

I met Williams in a funny way: He texted me from my own cellphone number, something I didn’t even realize was possible. He obtained my number in the first place after I deliberately told the world my Twitter password in order to demonstrate that newer, device-based authentication methods can make passwords irrelevant.

But a glaring flaw in Twitter’s account-security system lets anyone who obtains your password learn whatever mobile-phone number you’ve associated with your Twitter account if you turned on a simple but highly effective security measure. Among other things, it’s easy to spoof cellphone numbers, which can lead to all sorts of pranks — imagine someone texting the local police department from “your” phone, for example.

Thus, yesterday I was forced to change my cellphone number, which is pretty annoying, and not something I would have had to do if Twitter’s security worked the same way as it does on pretty much every other site, including Google.

I knew that revealing my password would invite hacking attempts, and in 24 hours I saw hundreds of requests to log into my account with the password I provided. But as far as I know, the second, device-based authentication factor in so-called two-factor authentication has withstood the assault.

In other words, I think I proved my point: Even when I exposed my password in as public a fashion as possible, my account remained secure. Inadvertently, I also revealed an issue with Twitter’s system that, should their engineers rectify it, will only make the system better.

And thanks to a day-long collaboration with Williams, I was able to learn a tremendous amount about how hackers work and how to defend yourself against them. He helped me lock down my own online life, and now, hopefully, you can use his insights to lock down yours.

Here are some critical steps:

1. Learn what two-factor authentication is, and turn it on.

Williams says that for most people, simply switching on two-factor authentication, which sends a code to your phone that you enter along with your password, will have a bigger impact on the security of online accounts than almost anything else.

If you want to be extra secure, there are two additional steps you can take. The first is to ditch the text messages altogether, since it is possible for a determined hacker to hijack your phone number.

For Google’s services and a host of others, including Outlook.com, Evernote and Dropbox, you can simply download an app called Google Authenticator to your phone, switch to two-factor authentication via this app, and then disconnect your Google account from your mobile number.

Now you’ll get your second factor — a numerical code — via this app, which has the advantage of sometimes being faster than receiving it via a text message. (It also works when you have no cell signal.) In effect, your phone becomes one of those security fobs with continuously updating security codes.

For Twitter, you can turn on app authentication within the Twitter app itself, which allows you to easily approve or deny any attempts to log in to your account, all without leaving the Twitter app. According to experts I talked to, this code-free approval system is the future of secure logins.

The problem with Twitter’s method is that it both requires and exposes your cellphone number. If you want to be super secure, you can get a (free) Google Voice number, give Twitter that one, and set it to forward to your existing cell phone. That way control over the number you use for two-factor authentication is inside Google’s security matrix, rather than, say, AT&T’s.

I asked Twitter why they require a phone number at all, and they responded that they want to have a place to send a backup code in case a person loses the phone that would otherwise be their sole link to Twitter. Williams’s opinion is that this is about Twitter’s convenience, not its customers, because Twitter doesn’t want to have to field calls from users who have lost both their device and the backup code Twitter asks you to print out and save in case you ever lose your device. As for exposing the phone number, Twitter’s folks didn’t really have an explanation, but they were receptive to my — and everyone else’s — feedback that exposing it is a terrible idea.

Google, by contrast, doesn’t require your phone number, but if you lose both your device and your backup codes, that’s it, you’re locked out of your account until (and if) a customer-service representative can help you.

Oh, and that reminds me: Everyone reading this should call your mobile carrier immediately, speak to a customer-service representative, and ask them to add a password to your (phone-based) account. Even better, make it a passphrase — something a few words long that only you will remember.

2. Get a password manager, and use it.

I know, I wrote that the password is dying. And for the average Joe or Jane willing to add two-factor to an account, I truly believe that doing so will make your accounts so much more secure than any password by itself. That basically renders the password obsolete on that account, freeing you to use whatever you like.

But if you have reason to be extra serious about security — you’re an important person in your professional or personal life, or you just have a lot of loot in the bank — it’s worth managing your passwords, as inconvenient as that can be.

Before you make your passwords more secure, get yourself a place to store them. Wall Street Journal personal technology columnist Geoff Fowler recommends Dashlane, and I second that, but there are plenty of options. Once you have a password manager installed, you can ask it to generate strong passwords for you, but at the very least you want to be using unique, only-for-that-site passwords on your critical accounts (email, banking, anyplace you’ve stored your credit card).

3. Review your password recovery questions.

This one surprised me. I’d never thought about the fact that every site has not just a front door, but a side door, plus a few windows. On most sites, two-factor authentication is like a force field around every entrance at once, but that doesn’t change the fact that if your password recovery question is “what is your mother’s maiden name?” that might as well be your password.

The problem, says Williams, is that social media has made it easier than ever to find the answer to these questions. “What’s your favorite book/movie/song?” isn’t hard to answer in a time when our favorites are plastered all over our Facebook accounts, as well as our relationships to our relatives, the names of our pets, etc.

If you take these three steps, you’re automatically making yourself difficult enough to hack into that most attackers simply won’t bother. But nothing, of course, can make you completely secure.

“If anyone wants to break into anything, they’re going to do it,” says Williams. “It’s not a question of whether they can, it’s a question of how long and at what cost. If you piss someone off enough they will get in; it’s just a matter of time and money.”

Security, online and off, is mostly about one thing: making yourself a less-attractive target than the next person.

Bonus: Don’t trust, and always verify.

The final piece of wisdom Williams imparted to me was how to avoid all the kinds of attacks that can defeat even the most paranoid identity verification procedures. That is, if someone tricks you, via a fake website linked from a spoofed email or through a piece of malicious software on your computer, into entering all of your login information in a place they can capture it, they can use that information to log in as you.

Williams’s rule is that if an email or other request feels the least bit weird, you should treat it as suspicious. Just because you got an email from your co-worker asking for a password for some plausible reason doesn’t mean it’s real. And that email from PayPal or your bank asking you to verify your login information most definitely isn’t.
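One mechanical form of “don’t trust, verify” for the fake-website-in-an-email case is to check that the domain a link visibly shows is the domain it actually goes to. The following is an added example, not code from the article or from Williams; the HTML message bodies are constructed for illustration, and the comparison on the last two labels of a hostname is a deliberate simplification assumed here (it does not handle multi-part suffixes such as `co.uk`).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches link text that looks like a URL or bare domain, e.g. "https://www.paypal.com/verify"
DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data: str) -> None:
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Simplification: treat the last two labels as the owning domain."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str) -> list[tuple[str, str]]:
    """Return (shown_host, actual_host) for every link whose visible domain
    does not match the domain it really points to."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = DOMAIN_IN_TEXT.match(text.lower())
        if not shown:
            continue                     # "Click here" style text: nothing to compare
        shown_host = shown.group(1)
        actual_host = (urlsplit(href).hostname or "").lower()
        if registrable_domain(shown_host) != registrable_domain(actual_host):
            findings.append((shown_host, actual_host))
    return findings


# Constructed sample bodies: one mimics a "verify your login" lure, the other is benign.
LURE_EMAIL = (
    "<p>Please verify your account at "
    '<a href="http://paypal.com.login-example.test/verify">https://www.paypal.com/verify</a>'
    ' or <a href="https://www.paypal.com/help">Click here</a> for help.</p>'
)
BENIGN_EMAIL = '<p>See <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>'

if __name__ == "__main__":
    for label, body in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, suspicious_links(body))
```

A mismatch is not proof of fraud (tracking redirectors produce them too), but it is exactly the “feels weird” signal Williams describes, surfaced before the reader has clicked.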

A classic trick of hackers is to net some low-level employee via a fake email. Once they have access to their account, it’s trivial to continue sending a string of spoofed emails carrying a virus up the chain of command, one level at a time, because most people trust emails from their co-workers and immediate subordinates. “And before you know it you are into system admins for the entire company,” says Williams.

Or in other words, that’s how one misstep by your office administrator gets the entire company hacked.